Agenda

* "Shift Left" Migration & Requirements
* Your responsibility in cloud security
* Customer Case Studies
* Qualys Security for hardening and standardizing workloads
* Qualys security for Infrastructure: Use Cases & Demo
* Q&A
DevOps/DevSecOps Requirements...

[Slide graphic: developer toolchain logos (Kubernetes, Jenkins, Puppet, Bamboo, Ansible) feeding into the DevSecOps engineer]

DevSecOps Engineer: responsible for automating security checks and remediating viable security threats in development/deployment practices.

AUTOMATION & ACTIONABLE DATA
The New IT - Hybrid, Multi-Cloud Deployment

ON-PREMISE | PUBLIC CLOUD
Shared Security Responsibility Model

You are responsible for securing your data and workloads. The split of responsibility varies by layer.

Image from Microsoft Azure Shared Security Responsibility © Qualys.


Securing Cloud Workloads
Hardening and Standardizing

VULNERABILITY MANAGEMENT
* Vulnerability Management (Internal & Perimeter)
* Threat Protection
* Indicators of Compromise
* Patch Management*

POLICY COMPLIANCE
* Policy Compliance (incl. Secure Configuration Assessments)
* File Integrity Monitoring

APPLICATION SECURITY
* Web Application Scanning (WebApps and REST APIs)
* Web Application Firewall


Securing Public Clouds Using Qualys

Customer Case Studies

CapitalOne: Reduced application releases from 2 weeks to 24 hrs by automating security with Qualys into DevOps

A Beverage MNC: Enabling DevOps with automated agent deployment via Azure Security Center
CapitalOne
Before: Lack of Security Automation Delays Release

[Slide graphic; only "Builders" is legible]

Two weeks until the Image (AMI) is certified for production
Capital One
Introducing Security at the Source: Bake Qualys Security into Gold Images and AMI

Gold Amazon Machine Image (AMI) > Qualys assesses the image > Approve and harden > Live Instances

Bakery process happens within 24 Hrs
A Beverage MNC Company

Qualys Automation within Azure Security Center

Fast growing deployment (added 10K instances in 6 months)

Problem?
* Ops wants to simplify the process of security tools rollout
* Security wants to participate in DevOps

Solution
* Utilizing Qualys integration with Azure Security Center
* Utilize ASC automation to bake agents into a test subscription and review reports with ASC

[Screenshot: Azure Security Center recommendation "Remediate vulnerabilities (by Qualys)" listing open findings for one VM, e.g. Enabled DCOM (High), Allowed Null Session (Medium), Enabled Cached Logon Credentials (Medium), Antivirus Product Not Detected (Low), Disabled Clear Page File (Low), Enabled Display Last Username (Low)]


New and Upcoming Features

Simplifying Perimeter Vulnerability Detection
Support for Azure and Azure Stack

Cloud Perimeter Scan
* Launch DNS based scans on public instances auto-selected from your account via connectors
* Add Elastic Load Balancer DNS
* Generate results with external-only remote check vulnerabilities
* Supports AWS EC2 today; Azure and GCP support is coming soon


[Screenshot: Vulnerability Management > Scans > Cloud Perimeter Scan. The launch wizard (Step 3 of 6: Target Connector / Target Hosts) auto-selects public EC2 instances, optionally filters them by tag, and accepts a DNS list for internet-facing ELBs.]


Azure Connector in Asset View
Coming Jan. 2019

[Screenshot: Asset View > Connectors > Create Connector, Step 1 of 4 (Connector Details)]

Connector Details
* Name (required)
* Description
* Set up authentication details: create an application in Active Directory and grant it Reader role access to the subscription.
* Application ID
* Directory ID
* Authentication Key
* Subscription ID
Azure Scan Flow
Coming Jan. 2019

[Screenshot: Launch Cloud Scan wizard, Step 3 of 6 (Cloud Platform, Scan Details, Target, Scanner Appliance)]

* Launch Cloud Scans on Azure Internal (Private) and External (Public) Virtual Machines
* Launch by Virtual Machine ID and NOT by IP
* Report by Virtual Machine IDs
Cloud Workload Security with Qualys

[Slide graphic: AWS, Azure, Alibaba Cloud, Oracle and Google Cloud Platform logos]

* PaaS - Cloud Database Scanning - Roadmap 1H '19
Cloud Integrations

* Azure Security Center (VM) - Production
* AWS Security Hub - Public Preview - Nov 28, 2018!!!
* Google Security Command Center - Beta in December 2018

Other Integrations
* IBM Security Center - Dec 2018/Jan 2019
* Alibaba Security Center - Q1/Q2 2019


[Screenshots: AWS Security Hub (beta) Insights view, and Google Cloud Security Command Center Findings dashboard showing Qualys as a finding source (13 current findings, summarised by severity level 1-5)]


Australian Insurance Company
Visibility of deployments stops misuse of keys

AWS sent a notice of compromised keys attempting to create multiple accounts in EU

Use Case
Identify the resources in the EU region; find the Amazon S3 buckets which are open to the public and have the keys stored

Requirement
* Identify where the deployments are located
* Identify Amazon S3 buckets that are public and fix it
* Ensure best practices are followed by IAM users of the account

Company Profile
Largest provider of Auto and Agriculture insurance
INDUSTRY: Insurance
REGION: Australia
CLOUD: Primary Cloud - AWS; Secondary Cloud - Azure
DEPLOYMENT REGION: Australia
SERVICES USED: EC2, S3, RDS, EMR, CloudFront
We need to secure against...

* Misconfigurations
* Malicious behavior
* Accounts & Network
* Non-standard deployments
Qualys Cloud Inventory and Security Assessments

Unparalleled Visibility and Continuous Security Monitoring across public cloud infrastructure (AWS, Azure, Google Cloud Platform)

Cloud Inventory
Cloud Security Assessment

* What is my public cloud usage?
* What is my security posture?
* Do I have any publicly accessible security accounts?
* Are my security groups opening unauthorized access to the internet?


Australian Insurance Company (continued)
Visibility of deployments stops misuse of keys

Solution
With Qualys Cloud Inventory and Assessment:
* Gain visibility into the global deployments
* Identify S3 buckets that are public and required fixing
* Identify the IAM users and their security posture
Visibility - Get started with a FREE service

CloudView: A FREE inventory and monitoring service for your public clouds


Use Case #4: Misconfigured Security Groups

Security groups with default rule, allowing access on port 22 5569

With Qualys Vulnerability Mgmt. - Identify Security Groups exposing Vulnerable instances

[Screenshot: CloudView, filtered with service.type:"VPC". Control 41, "Ensure no security groups allow ingress from 0.0.0.0/0 to port 22" (VPC), with the List View pivoting to the exposed instances using the query:]

resource.type:"Instance" and securitygroup.inboundRule.fromPort:22 and securitygroup.inboundRule.ipv4Range:0.0.0.0/0 and (not instance.publicIpAddress is null)

[Resource Summary: three t2.micro instances in N. Virginia and Ohio, all Running]


Use Case #5: Correlate with Vulnerability Data

* Identify vulnerable instances associated with the security groups
* Reduce effort to pull info to SIEM for correlation

[Screenshot: CloudView Resource Details for one security group, Associations tab: 12 associated instances and an ELB in N. Virginia, all running, with a vulnerability count per instance; tabs for Summary, Rules, Associations, Tags and Controls Evaluated]
New and Upcoming Features: Remediations, Threat Analysis, Reports

Threat Analysis
Correlating Vulnerability data to provide risk insights
Coming Dec. 2018

Use Cases
* Security Groups allowing access on the same ports where network vulnerabilities have been identified
* Vulnerable EC2 Instances with Instance profiles accessing S3 buckets

[Screenshot: Resource Details for a security group, Threat Details tab: impacted resources, open port vulnerabilities and ports with threats, plus a rules table (Port, Type, Protocol, Port Range, Source, Port with Threats, Impacted Instances, Vulnerabilities) with rows for port 80 (range 0-100, source 0.0.0.0/0) and port 8080 (source 0.0.0.0/0), each showing 2 impacted instances and 2 vulnerabilities]
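As an added illustration (not Qualys code and not the CloudView query engine), the following Python evaluates the same control over a constructed inventory: it flags instances that have a public IP and sit behind a security group opening port 22 to 0.0.0.0/0, then correlates them with vulnerability findings on that port, covering use cases #4 and #5 and the threat analysis use case above. It generalises slightly beyond the page's query by also handling ::/0 and port ranges; the record shapes, field names and the -1 "all ports" convention are assumptions.

```python
WORLD = {"0.0.0.0/0", "::/0"}          # "anywhere" sources, IPv4 and IPv6

def rule_opens_port(rule, port):
    """True if an inbound rule admits `port` from anywhere.
    Assumption: fromPort/toPort of -1 encodes an all-traffic rule."""
    if rule["ipRange"] not in WORLD:
        return False
    lo, hi = rule["fromPort"], rule["toPort"]
    return (lo == -1 and hi == -1) or lo <= port <= hi

def exposed_instances(instances, groups, port):
    """Instances that have a public IP and a group opening `port` to the world
    (the 'not instance.publicIpAddress is null' clause of the query above)."""
    open_groups = {g["id"] for g in groups
                   if any(rule_opens_port(r, port) for r in g["inbound"])}
    return [i for i in instances
            if i.get("publicIpAddress") and set(i["securityGroups"]) & open_groups]

def correlate(exposed, findings, port):
    """Use case #5 / threat analysis: map each exposed instance to the
    vulnerability findings reported on the very port the group exposes."""
    return {i["id"]: [f["title"] for f in findings
                      if f["instance"] == i["id"] and f["port"] == port]
            for i in exposed}

# Constructed sample inventory (not real resources)
GROUPS = [
    {"id": "sg-open",   "inbound": [{"ipRange": "0.0.0.0/0", "fromPort": 22, "toPort": 22}]},
    {"id": "sg-range",  "inbound": [{"ipRange": "::/0", "fromPort": 0, "toPort": 1024}]},
    {"id": "sg-office", "inbound": [{"ipRange": "203.0.113.0/24", "fromPort": 22, "toPort": 22}]},
]
INSTANCES = [
    {"id": "i-public-open",   "publicIpAddress": "198.51.100.10", "securityGroups": ["sg-open"]},
    {"id": "i-public-range",  "publicIpAddress": "198.51.100.11", "securityGroups": ["sg-range"]},
    {"id": "i-private-open",  "publicIpAddress": None,            "securityGroups": ["sg-open"]},
    {"id": "i-public-office", "publicIpAddress": "198.51.100.12", "securityGroups": ["sg-office"]},
]
FINDINGS = [  # constructed scanner output: instance, service port, finding title
    {"instance": "i-public-open",  "port": 22, "title": "SSH weak cipher"},
    {"instance": "i-public-open",  "port": 80, "title": "HTTP server banner"},
    {"instance": "i-public-range", "port": 22, "title": "Outdated SSH server"},
]

def report(port=22):
    """Exposed instances on `port`, each with its findings on that same port."""
    return correlate(exposed_instances(INSTANCES, GROUPS, port), FINDINGS, port)
```

An instance such as i-private-open, which has the open group but no public IP, is left out, and i-public-open's port 80 finding is not attributed to the port 22 exposure.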
Remediation
Automate in real time actions to protect against risks
Coming Jan'19

Make the object private, where necessary

Event flow: User > PutObject / PutObjectAcl > Deliver event when the rule matches > AWS Lambda

Lambda function that reads the state of the S3 bucket and updates it to make the bucket and its object private.

Integration into Qualys CloudView (coming in 2019):
* Collect evaluation results
* Execute update permissions
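The event-driven remediation above, written out as an added example (not Qualys code): a Lambda handler for the PutObject/PutObjectAcl API-call event that resets a public object ACL to private. The event field names follow CloudTrail's requestParameters; the sample event and the fake S3 client are constructed so the logic runs offline.

```python
PUBLIC_GRANTEES = {  # S3 group URIs that make a grant world- or any-AWS-user-readable
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def grants_public_access(acl):
    """True if a GetObjectAcl response contains a grant to a public group."""
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            return True
    return False

def remediate(event, s3):
    """Read the object named in the CloudTrail-backed event and, if its ACL
    is public, reset it to the 'private' canned ACL. Returns what was done."""
    params = event["detail"]["requestParameters"]
    bucket, key = params["bucketName"], params["key"]
    acl = s3.get_object_acl(Bucket=bucket, Key=key)
    if not grants_public_access(acl):
        return {"bucket": bucket, "key": key, "action": "none"}
    s3.put_object_acl(Bucket=bucket, Key=key, ACL="private")
    return {"bucket": bucket, "key": key, "action": "set-private"}

def lambda_handler(event, context):
    """Entry point wired to the CloudWatch Events rule for PutObject/PutObjectAcl."""
    import boto3  # imported here so the module loads (and is testable) without the SDK
    return remediate(event, boto3.client("s3"))

# --- offline demo with a constructed event and a fake S3 client ---
SAMPLE_EVENT = {  # constructed; mirrors the CloudTrail "AWS API Call" event shape
    "detail-type": "AWS API Call via CloudTrail",
    "detail": {
        "eventSource": "s3.amazonaws.com",
        "eventName": "PutObjectAcl",
        "requestParameters": {"bucketName": "example-bucket", "key": "export/keys.csv"},
    },
}

class FakeS3:
    """Stand-in for boto3's S3 client holding one object's grants (example only)."""
    def __init__(self, grants):
        self.grants, self.calls = grants, []
    def get_object_acl(self, Bucket, Key):
        return {"Grants": list(self.grants)}
    def put_object_acl(self, Bucket, Key, ACL):
        self.calls.append((Bucket, Key, ACL))
        # the 'private' canned ACL leaves only the owner's FULL_CONTROL grant
        self.grants = [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
                        "Permission": "FULL_CONTROL"}]
```

A second invocation on the same object is a no-op, which matters because the PutObjectAcl issued by the function itself will trigger the rule again.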


Cloud Infrastructure Reports
Coming Jan. 2019

* Generate reports for CIS Benchmarks and mandates like PCI, HIPAA, ISO 27001, NIST 800-53...
* Configure for specific accounts and regions
* Schedule reports for daily, weekly or monthly

[Screenshot: CloudView > Reports, listing "PCI Report for MyAWS Storefront" and "CIS Report for myaws", each with creation time, creator and Run/Delete actions]


Azure CIS 1.0.0 Benchmark Controls
Coming Dec. 2018

~ 40 checks

Azure Assets Evaluated
* Azure Virtual Machines
* Azure Virtual Networks
* Azure Blob Storage
* Azure Network Security Groups
* Azure SQL Databases
* Azure Security Center
* Storage Accounts
* Logging & Monitoring services

[Screenshot: CloudView, Microsoft Azure: 31 controls evaluated, 227 evaluations (76 pass, 151 fail) across the services Security Center, SQL Servers, Storage Account, Virtual Machines and Monitor. Controls listed (policy: CIS Microsoft Azure Foundations Benchmark) include:]

* 50001 Ensure that 'Data encryption' is set to ON for a SQL database (SQL Servers)
* 50002 Ensure no SQL Servers allow ingress from Internet (ANY IP) (SQL Servers)
* 50003 Ensure that 'Adaptive Application Controls' is set to On (Security Center)
* 50004 Ensure that 'Automatic provisioning of monitoring agent' is set to On (Security Center, HIGH)
* 50005 Ensure that 'System updates' is set to On (Security Center)
* 50006 Ensure that 'Security Configurations' is set to On (Security Center, HIGH)
* 50007 Ensure that 'Endpoint protection' is set to On (Security Center)


Qualys Cloud Security - Comprehensive Coverage

[Slide graphic: coverage matrix, AWS column]

Thank You

Clément Gajewski
cgajewski@qualys.com